Credit: Aftersnows
A stored Cross-Site Scripting (XSS) vulnerability was discovered in the handling of conversation data transmitted over WebSocket. An attacker can inject malicious HTML into a WebSocket message; the content is stored with the conversation, and when a victim opens that conversation, the attacker's JavaScript is executed in the victim's browser.
When reproducing the issue, note that you must select an existing conversation name, for example the name 'word1' of a newly created conversation, and then proceed with the steps below.
When reproducing this vulnerability, be sure to use 'fn_index': 35.
https://github.com/user-attachments/assets/649f454c-0a0e-4896-ac1e-b55e233be605
First, create a conversation with any name (I chose 'word1' here), then send a message via WebSocket with the following payload:
{"data":[null,"word1",[["<div class=\\"user-message\\">word1</div>","<img src=x onerror=alert(document.domain)><div class=\\"raw-message hideM\\"></div><div class=\\"md-message\\">\\n\\n\\n</div>"]],"新对话 08-22 16-12"],"event_data":null,"fn_index":35,"session_hash":"bvtzvj4lb2"}
(The POST method works as well.)
https://github.com/user-attachments/assets/48d29ace-201d-49a5-8342-bc0b38e42099
This payload is stored on the server and waits for the next person to open this conversation, at which point the injected script runs in that person's browser.
https://github.com/user-attachments/assets/3e486f6f-b433-4f59-b8ed-46fed30ed076
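A server-side mitigation for this message shape, added here as an example and not code from the affected project: it parses a constructed message modelled on the payload above (assuming the chat history sits in data[2] as [user, bot] pairs), flags history cells that carry script-capable markup, and HTML-escapes every client-supplied cell before it is stored, so the server builds its own wrapper markup around plain text at render time.

```python
import html
import json
import re

# Constructed sample modelled on the report's payload (assumption: data[2]
# carries the conversation history as [[user_html, bot_html], ...]).
SAMPLE_MESSAGE = json.dumps({
    "data": [None, "word1",
             [["<div class=\"user-message\">word1</div>",
               "<img src=x onerror=alert(document.domain)>"
               "<div class=\"raw-message hideM\"></div>"]],
             "新对话 08-22 16-12"],
    "event_data": None, "fn_index": 35, "session_hash": "bvtzvj4lb2",
})

# Markup that a client should never be allowed to store in a history cell:
# script-capable tags, or any tag carrying an on* event handler attribute.
ACTIVE_MARKUP = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed)\b|<[^>]*\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def history_needs_escaping(history):
    """Return True if any history cell still contains script-capable markup."""
    return any(ACTIVE_MARKUP.search(cell or "") for pair in history for cell in pair)


def sanitize_message(raw):
    """Escape every client-supplied history cell before the message is stored.

    Client input is treated as text, never as HTML; the server must rebuild
    its own user-message / md-message wrappers from the escaped text.
    """
    msg = json.loads(raw)
    history = msg["data"][2]
    if not isinstance(history, list) or not all(
        isinstance(pair, list) and len(pair) == 2 for pair in history
    ):
        raise ValueError("history must be a list of [user, bot] pairs")
    msg["data"][2] = [
        [html.escape(cell, quote=True) if cell is not None else None for cell in pair]
        for pair in history
    ]
    return msg
```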
Attackers can inject malicious scripts that steal sensitive user data, such as login credentials, personal information, and payment details. This can lead to identity theft and financial loss for users.
Malicious scripts can hijack user sessions by stealing session cookies. This allows attackers to impersonate users and gain unauthorized access to their accounts.